Home > Resources > University Hospitals Sussex NHS Foundation Trust Occupational Health Services Privacy Notice – September 2023

University Hospitals Sussex NHS Foundation Trust Occupational Health Services Privacy Notice – September 2023

Download the PDF (257kB)

What is a privacy notice?

A Privacy Notice is a statement by the Trust to staff that describes how we collect, use, retain
and disclose personal and health information which we hold.


This Privacy Notice includes applicants, employees (and former employees), workers
(including agency, casual and contracted staff), volunteers, trainees, those carrying out work
experience and external clients to which University Hospitals Sussex NHS Foundation Trust
provides occupational health services.

Why issue a privacy notice?

This privacy notice is part of our commitment to ensure that we process your personal
information/data fairly and lawfully. This notice also explains what rights you have to control
how we use your information. It is part of ensuring compliance with the Data Protection Act
2018.

Collecting and processing your data

We collect and process your personal and health data in line with the Data Protection Act 2018.

Who is responsible for ensuring that my data is processed appropriately and kept safe?

University Hospitals Sussex NHS Foundation Trust (UHSussex) is the Data Controller for your
personal and health information.


The Trust also has a Data Protection Officer, Heidi Doubtfire-Lynn, who assists the
organisation by providing independent specialist advice on data protection obligations and
impact assessments. See below for contact details.

Why does University Hospitals Sussex NHS Foundation Trust Occupational Health services collect information about me?

University Hospitals Sussex NHS Foundation Trust Occupational Health Services (UHSussex
OHS) collect your data to help determine various matters in relation to your health and work to
keep both you and people you may be working with safe. This includes:

  • whether you have any health conditions that may make it difficult or unsafe for you to do a
    job
  • testing to ensure that the work environment isn’t harming your health (health surveillance)
  • whether you need any adjustments to help you successfully remain at or return to work
  • whether you need any vaccinations or blood tests in relation to your work
  • whether you would qualify for Ill Health Retirement

What information does UHSussex OHS collect about me?

  • We collect health data which could be supplied by you or your employer or University. We may also contact your GP, Specialist or other Healthcare Professional for health information but we would only do this with your written agreement (consent). We may also receive information from laboratories after testing your blood but again we would not test your blood without your consent.
  • Personal data includes your name; address; date of birth; email address; mobile no. etc. which we collect so as to be able to identify and contact you.
  • We may use a variety of means, including questionnaires, forms, direct questioning, and requests from third parties. Information may be collected by telephone, face-to-face, paper or electronic means.

If you work for public authorities, including the NHS and schools, we would process your data
under Article 6 (e) of the General Data Protection Regulations (GDPR):

“Public task: the processing is necessary for you to perform a task in the public interest or for
your official functions, and the task or function has a clear basis in law.”

If you do not work for or undertake placements in public authorities we would process your
data under Article 6 (f) of the GDPR:

Additionally as much of the data we hold is health data, which is known as “special category
data” we would process this data under Article 9(2) (h) of the GDPR:

“processing is necessary for the purposes of preventive or occupational medicine, for the
assessment of the working capacity of the employee…”

Who will receive my data?

Your data would only be shared with those that need to know.

  • If you are applying for a job, this could be your manager, Human Resources (HR) or the
    Trust’s recruitment services.
  • If you are already working, this could be your manager or HR.
  • Unless we are simply clearing you to start a job, ie. declaring you ‘fit’, we would ask your
    consent before providing your manager, recruitment, HR etc. with your health information
    and we would agree in advance with you what is to be shared.
  • No confidential information held by UHSussex OHS will be disclosed without your explicit
    informed consent with the exception of:
    o Where the disclosure is required by law (for example if ordered by a judge or a presiding
    officer of a court using a court order; to the HSE under the Health & Safety at Work etc.
    Act 1974; for statutory requirement to notify certain infectious diseases; to the NHS
    Counter Fraud Service to detect and prosecute Fraud);
    o Where the disclosure is in the public interest (for example where a worker’s health
    endangers others and the worker refuses to disclose information which would allow
    potential harm to be avoided).
    o Where disclosure of personal data is necessary for the above reasons, this will always
    be assessed on a case-by-case basis, using the minimum information necessary for
    the specific purpose and circumstances and with the appropriate security controls in
    place.
  • Your data is not processed, transmitted or stored outside of the UK and is not made available to others outside of the department unless there is a legitimate reason or consent has been provided.

How long will my data be stored?

  • Your data will be stored for six years after you leave your work or up to your 75th birthday if this is sooner before being destroyed.
  • Records of health surveillance will be kept for 40 years from the date of the last health
    surveillance, with the exception radiation medicals which are kept for 50 years.
  • If you supply information in relation to a new job and then do not start the job, your data
    will be stored for a maximum of one year.

Where will my data normally be stored?

  • Paper occupational records will be stored in lockable filing cabinets in lockable offices which are secured at night and when UHSussex OHS is not staffed. Electronic data will be stored on Trust computers which have appropriate security measures in place to prevent unauthorised access. OH administration staff processing your data are bound by confidentiality statements and clinical staff follow their professional code of conduct, not to disclose your data inappropriately.
  • On leaving your post the data held by UHSussex OHS will be archived. Our archiving
    services are bound by strict rules to ensure that the data is held securely and that
    confidentiality is maintained.

We do not process your data under the legal basis of “consent” but we would seek your consent to disclose information to your employer. You are able to withdraw your consent to the sharing of this information at any time before it is shared, unless there is a danger to your health or the health of others from not sharing this information as above.

How can I obtain a copy of my data?

In most instances you can be provided with a copy of your Occupational Health Records if you
contact UHSussex OHS as below. You will not normally be charged for this service unless
you request multiple copies.

What if I think my data is inaccurate or incomplete?

In most cases we will be able to quickly change inaccurate data or add to incomplete data if
requested by contacting UHSussex OHS as below

What if I think my data is no longer relevant?

We may be able to erase data if requested by you if your data is no longer required. It is,
however, unlikely that we would be able to erase your data where it is processed under Article
6 (e) of the GDPR: “Public task” for example health surveillance records or where we have
obtained the data to ensure that you or the people you will be working with remain safe. Please contact UHSussex OHS as below if you would like to discuss this further.

What if I don’t want my information processed?

You do have the right to object to the processing of your data, giving your reasons as to why
you object. In these cases we would need to weigh up your rights with the legal grounds for
continuing to process the data. If you do not provide the data requested or do not allow it to be processed we may not be able to provide health clearance for you to start a job or we may not be able to advise your employer whether you are fit to continue working or whether you need any adjustments to your job. Your employer may then have to make a decision without this information. Please contact UHSussex OHS as below if you would like to discuss this further.

What if I have further questions on the uses of my information?

Please contact UHSussex OHS or UHSussex Data Protection Officer Heidi Doubtfire-Lynn as
below.

What if I am unhappy about how my data is processed or have further questions on the uses of my information?

You have the right to complain if you are not satisfied with the way in which your data is
processed. We recommend that you initially contact UHSussex OHS as below. If this does
not resolve your issue you could also contact our Data Protection Officer Heidi Doubtfire-Lynn
or The Information Commissioner’s Office (ICO) as below.

Contacts

UHSussex Occupational Health Services
Occupational Health Services, University Hospitals Sussex NHS Foundation Trust,
The Art Block, St Mary’s Site, Eastern Road, BRIGHTON BN2 5BE
Tel: 01273 696955 ext. 62983
Email: [email protected]


UHSussex Data Protection Officer – Heidi Doubtfire-Lynn
[email protected]


Information Commissioner’s Office (ICO)
Helpline 0303 123 1113
Website: https://ico.org.uk/concerns

Page last reviewed: